
Re: Issue #68: VPNs with overlapping IP address ranges (was Re: 2401bis issues (possible) resolution)

>>>>> "Tero" == Tero Kivinen <kivinen@ssh.fi> writes:
    >> When a security Gateway is operating on behalf of multiple contexts
    >> (e.g. multiple subscribers, or multiple ppvpn-style overlay addressing
    >> contexts), it is essential that the initiator be able to convey to the
    >> responder which context is being addressed.

    Tero> Do not use IP addresses as IKE SA identities then. Use the DNS
    Tero> names or email addresses or something else. There is no need to use
    Tero> IP addresses in those cases (or actually using IP addresses would
    Tero> be quite bad, as it is not unique...).

  I concur.
  Particularly for IKEv2, the #1 reason to use IP addresses as IDs in IKEv1
was because of limitations of PSK.

]       ON HUMILITY: to err is human. To moo, bovine.           |  firewalls  [
]   Michael Richardson,    Xelerance Corporation, Ottawa, ON    |net architect[
] mcr@xelerance.com      http://www.sandelman.ottawa.on.ca/mcr/ |device driver[
] panic("Just another Debian GNU/Linux using, kernel hacking, security guy"); [